Co-Management Endpoints and BitLocker

Matt Dillon 1,211 Reputation points
2022-10-25T16:48:47.297+00:00

Trying to grasp how everything works and it is slowly sinking in. I have a Hybrid Azure AD Autopilot set up in my comanaged environment. My fresh test pc's run the get-windowsautopilotinfo script and enroll and kick off autopilot just fine. My endpoint gets Hybrid Domain joined, the 2 required apps install and the rest of the apps I have designated for my hybrid security group install afterwards. Eventually the SCCM client installs. I am not seeing BitLocker kick off until after the collection is updated in SCCM. I was hoping to encrypt it during the Hybrid Autopilot step. Here are some other details:

Cloud Attach is set up as follows:

Configure upload tab - Upload all devices managed by MECM and enable Endpoint Analytics
Enablement - Automatic enrollment in Intune - All
Workloads - all are set to Pilot Intune (hoping to move some to Intune soon)

Any direction will be helpful. please and thank you!

Microsoft Intune Configuration
Microsoft Intune Configuration
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Configuration: The process of arranging or setting up computer systems, hardware, or software.
1,774 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,602 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Crystal-MSFT 45,251 Reputation points Microsoft Vendor
    2022-10-26T01:56:43.557+00:00

    @Matt Dillon , From your description, it seems you use Autopilot Hybrid Azure AD enrollment and co-management. In Fact, there are two enrollment methods. You can choose one of them to do the enrollment.
    https://learn.microsoft.com/en-us/mem/intune/enrollment/device-enrollment#windows-enrollment-methods

    For co-management, there are two paths to do the enrollment. One is for existing Configuration Manager device. The other is for Internet device with first enrolled into Intune. Here is a link with more details for your reference:
    https://learn.microsoft.com/en-us/mem/configmgr/comanage/quickstart-paths

    Based on my research, there is a new technology to put Autopilot into co-management. But currently, Hybrid Azure AD-joined devices is not supported.
    https://learn.microsoft.com/en-us/managed-desktop/get-started/autopilot-co-management

    Meanwhile, I notice you want to know if BitLocker can enable during Autopilot enrollment. During Windows Autopilot Enrollment Status page, it will install some applications and applied some profiles.
    https://learn.microsoft.com/en-us/mem/autopilot/enrollment-status

    For BitLocker, in Windows 10 1809 and above, it will wait to begin encrypting until the end of OOBE, after the ESP device configuration phase has completed. Here is a link with more details:
    https://oofhours.com/2019/08/26/bitlocker-esp-and-windows-autopilot-working-in-harmony/
    Note: Non-Microsoft link, just for your reference.

    To enable BitLocker for windows device with Microsoft Intune, we can configure "Endpoint security disk encryption policy" or "Device configuration profile for endpoint protection". Here is a link with more details for your reference:
    https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices

    For your scenario, I suggest choosing only one method to do the enrollment to avoid any issue. Then try to deploy BitLocker policy via Intune. Check the policy to see if is applied to the device successfully. If not, we can follow the following links to do the troubleshooting:
    https://learn.microsoft.com/en-us/troubleshoot/mem/intune/troubleshoot-bitlocker-policies
    https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-troubleshooting-bitlocker-policies-in-microsoft/ba-p/863670

    Hope it can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.